Bar News - September 17, 2004


Computer Forensics: An Attorney's Primer

By: Sharon D. Nelson and John Simek
WITH INCREASING frequency, the pivotal evidence in cases is electronic, often in those e-mails that we dash off with such abandon and so little thought.

Another source of pivotal evidence that many lawyers are blithely unaware of is "metadata": hidden data that travels with a document unbeknownst to the sender and records such things as the author, the dates of creation, modification and last access, the last time the document was printed, tracked changes, and so on. Another example of metadata is the set of headers (message tracking information) that accompanies an e-mail transmission. The headers may identify the sender's IP address and the mail client that was used. One caveat: the header fields written by the sender's own software (the Date line, the X-Mailer line) are only as honest as the sender; the Received lines stamped by the receiving mail servers, which the sender never controlled, are the ones to rely on. This is often the most compelling evidence of all – and it will not show up in printed copies of documents or messages. You must have the evidence electronically, to the chagrin of those still happiest wading through boxes of documents.
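As an added illustration (not part of the original article), the following Python script pulls the kind of evidence just described out of a raw e-mail: the chain of Received lines, the IP address in the earliest hop, the mail client named in X-Mailer, and the gap between the sender's own Date header and the first server's timestamp. The message it parses is constructed for this example, with addresses from the documentation ranges and made-up host names and IDs; the header names are the standard ones, but nothing here comes from any real case.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message for this example. Every host, address and ID is
# invented (RFC 5737 documentation IP ranges); it is not evidence from any case.
SAMPLE_MESSAGE = b"""\
Received: from mail.example.net (mail.example.net [203.0.113.10])
\tby mx.law-firm.example (Postfix) with ESMTP id 4F2A1
\tfor <counsel@law-firm.example>; Fri, 17 Sep 2004 09:12:44 -0400
Received: from [192.0.2.55] (helo=workstation-07)
\tby mail.example.net with esmtpa id 1C8Qx
\tfor <counsel@law-firm.example>; Fri, 17 Sep 2004 09:12:40 -0400
Message-ID: <20040917131240.1C8Qx@mail.example.net>
Date: Fri, 17 Sep 2004 09:12:38 -0400
From: "J. Doe" <jdoe@example.net>
To: counsel@law-firm.example
Subject: Re: contract
X-Mailer: Microsoft Outlook Express 6.00.2800.1158

Let's keep this one off the record.
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def received_chain(msg) -> list:
    """Received headers oldest-first. Each relay prepends its own line, so the
    last Received header in the message is the first hop the message took."""
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def originating_ip(chain: list):
    """IP address named in the oldest hop: the machine that handed the message
    to the first mail server. None if there is no such hop or no address."""
    if not chain:
        return None
    m = IPV4.search(chain[0])
    return m.group(0) if m else None


def hop_time(hop: str):
    """Timestamp the relay stamped on a Received line (text after the last ';')."""
    try:
        return parsedate_to_datetime(hop.rsplit(";", 1)[1].strip())
    except (IndexError, ValueError, TypeError):
        return None


def date_to_first_hop_seconds(msg, chain: list):
    """Seconds between the sender-supplied Date header and the first relay's
    own clock. A large or negative gap suggests Date was altered or backdated."""
    sent = msg.get("Date")
    first = hop_time(chain[0]) if chain else None
    if not sent or first is None:
        return None
    try:
        return (first - parsedate_to_datetime(sent)).total_seconds()
    except (ValueError, TypeError):
        return None


def summarize(raw: bytes) -> dict:
    """Everything a printed copy of the message would have lost."""
    msg = email.message_from_bytes(raw)
    chain = received_chain(msg)
    return {
        "message_id": msg.get("Message-ID"),
        "date_header": msg.get("Date"),
        "mail_client": msg.get("X-Mailer") or msg.get("User-Agent"),
        "hops": len(chain),
        "first_hop": chain[0] if chain else None,
        "originating_ip": originating_ip(chain),
        "date_to_first_hop_seconds": date_to_first_hop_seconds(msg, chain),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MESSAGE).items():
        print(f"{key:>26}: {value}")
```

The only lines in the sample the sender could not have written are the two Received lines added by the relays, which is why the script takes the originating address and the reference timestamp from the oldest of those rather than from anything the sender's client supplied.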

If there was ever a day when attorneys could play ostrich and stick their heads in the sand ignoring electronic evidence, that day has long passed.

The Dividing Lines

Understandably, many people are confused by the distinction between electronic evidence and computer forensics. Basically, a computer forensic technologist makes a bit-by-bit image of the hard drive(s) or other media at issue and identifies the relevant evidence, generally using search terms or data parameters provided by the attorneys. The technologist will analyze Internet activity, application usage, and e-mail utilization, including Web-based e-mail. Once the evidence has been extracted and partially analyzed, the computer forensics portion is finished.

If the forensics firm does not also provide comprehensive evidence analysis, it will burn the electronic evidence onto CDs or DVDs, in a form readable to the attorney or to an electronic evidence company. If the volume of evidence is small, it is often sent directly to the attorney. If the volume is large, it is usually sent to an electronic evidence company which then indexes, de-dupes and sorts through the evidence, often importing it into software to facilitate managing the vast amount of information.

Selecting a Computer Forensics/Electronic Evidence Company

How do you find a good expert? Here are some of the factors you should consider in selecting the specific forensic technologist for your case:

  • Review the firm’s forensics certifications. Currently, the most prestigious certification available to private firms is the EnCE (EnCase Certified Examiner) issued by Guidance Software. More certifications are emerging and will gain credibility over time, but in the private sector, the EnCE is the certification to look for.

  • Look for technical certifications. A good forensic technologist will have a lot of letters after his/her name, indicating a broad range of certifications with a number of different technologies. If you see no certifications, or a "base-level" certification (such as A+), you do not have an individual with a wealth of experience.

  • Get the CV early on and study it. Ask questions. Does it show that the expert has spoken at a lot of seminars and/or written a lot of articles? How many courts has the expert qualified in? What is the expert’s educational and professional background?

  • Get several references and check them out. Did the expert do a thorough, professional job? Was the expert responsive when contacted? Was the work completed on time? Did the expert reasonably stay within budget or at least alert the client of additional costs before incurring them?

What Next?

If the hard drive or other media is in your possession (or your client’s), do NOTHING with it yourself. Do not even power it up. Booting up a typical Windows operating system changes the dates and times on approximately 400-600 files. Do not let your IT staff or that of your client conduct their own investigations. They are not forensically trained and might unwittingly trample on the evidence, changing what may be critical dates, such as the date of last access, modification, etc. The trampled evidence may not be admitted at all, or it may be regarded as suspect because it was not forensically acquired.

Make sure you send a preservation of evidence letter. The other side is going to be hard pressed to argue innocence when confronted with spoliation of evidence charges if they have received a preservation of evidence letter. Be as specific as possible in the letter and not overbroad, so that fair notice is given of the kind of evidence to be preserved. The more specifics you can give, the less excuse there is for having evidence that vanishes or is tampered with.

Normally, you will be asking experts to preserve:

  • E-mail (electronic versions), along with header information, archives and any logs of e-mail system usage;
  • Data files created with word processing, spreadsheet, presentation or other software;
  • Databases and all log files that may be required;
  • Network logs and audit trails;
  • Electronic calendars, task lists, telephone logs, and contact managers.

Make sure you note in your letter that these things may exist in active data storage, including servers, workstations, and laptops and in offline storage including backups, archives, floppy disks, zip disks, tapes, CD-ROM, DVDs, memory sticks and any other form of media. Caution that potentially discoverable data should not be deleted, moved, or modified.

With respect to users who may have discoverable information on their computers, new files should not be saved to existing drives or media, no new software should be loaded, and no data compression, encryption, defragging or disk optimization procedures should be run until an image of the hard drive has been acquired. Ask that the normal rotation and overwrite of backup media cease until copies can be made. Also mention that no media storage devices containing potentially discoverable information should be disposed of due to upgrades, failure, donation or for any other reason.

If the case seems to require it, get a protective order. Set out specifics so there can be no misunderstandings. When do you need one? A good example was provided by the Enron/Arthur Andersen debacles, where it became known that shredding papers and wholesale electronic deletions were taking place. If you can present a judge with any sort of credible scenario suggesting that spoliation may occur, you are very likely to be granted a protective order.

Onward to Discovery

Make your discovery illuminating and clear. Define everything at some length, encompassing all forms of media, all manner of things that may be considered responsive, and all possible locations.

Use interrogatories to get relevant information about the target computer network. It is a common error to focus solely on the server and the workstations and to forget other data sources.

Some questions to ask are:

  • What kind of network are you dealing with, and how is it configured?
  • What is the operating system, and what is the class of machine?
  • What are the applications, both off-the-shelf and custom?
  • What sort of back-up system is used, and when is backup media overwritten?
  • Who is the systems administrator?
  • Are home computers used for business? Are laptops or PDAs used?
  • Is there a digital copier hooked up to the network?
  • Are cell phones or pagers used?
  • Is there remote access?
  • What sort of e-mail package is used? Is there an e-mail server? Where is e-mail stored for transmission, retrieval and archiving?
  • Is a firewall used?
  • Who is the Internet service provider?

Depose the system administrator and other parties in the IT department who are likely to have relevant information about the computer system. Again, make sure you receive full information about the back-up system (often a treasure trove) and all possible data locations.

It is common practice, though certainly not universal, to have monthly back-up tapes (or other media) going back six months to several years. Make sure you have information about the hardware and software used to create the back-ups; your forensic technologist may need to recreate the native environment in order to restore data from the back-up media. Get a copy of the backup schedule for both incremental and full backups, and find out how the backup media is rotated. Understand what logging is done on the network and what audit trails may exist. Audit trails may tell you which ID accessed the system, when, how long it was connected, and what it did. They may also tell you which ID copied, printed, deleted or downloaded files and when it was done.

Find out if the company uses any monitoring software. If so, there may be a wealth of information indicating programs used, files accessed, e-mail that employees sent or received and records of the Internet sites they visited. Find out also how security access is structured. Who had access to which files and programs? Who had read-only access and who had write access? For relevant individuals, get user names, logons, passwords, and e-mail addresses. Find out about any encryption programs that may be utilized and request the encryption keys.

Ask every witness about his or her computing habits. Do they make individual back-ups of their system? Do they use floppy disks, zip disks, CD-ROMs or thumb drives to copy some information from their systems as a back up or for portability reasons? Do they use their home computer to check their business e-mail? Do they do business work on the home computer? Where do they store their documents? For instance, is any work saved on a secretary’s workstation? Do they use a laptop, PDA, cell phone, and/or pager?

Request to inspect and forensically acquire any relevant data. The acquisition should be done by a trained forensic technologist using specialized tools. If there is an objection because of the time element and disruption to business, your expert can help offer alternatives to minimize the disruption.

Bear in mind that "deleted" doesn’t mean deleted. In computer terms, deleted means that the space on the disk once occupied by a particular file is now available to be overwritten. The pointers to the deleted file are gone, but bits and pieces of the file, or the whole file, will remain until they are overwritten. Whatever remains of the file (called "residual data") may be recovered from the area of the disk’s surface that is not allocated (this is known as "unallocated space" and it often contains valuable evidence if painstakingly searched).
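As an added example (not code from the original article), the Python below makes the point concrete with a toy in-memory volume: "deleting" a file removes only its entry in the allocation table, the bytes stay on the disk, a signature carver pulls the whole file back out of unallocated space, and once a new file reuses the first sector the carver loses the header but a keyword search still finds the text further in. The volume, the PDF-shaped memo and the file names are all constructed for the example; the allocation scheme is deliberately simplistic and is not how any real file system works.

```python
SECTOR = 512


class ToyVolume:
    """Stand-in for a disk: a byte array (the platters) plus an allocation table
    (the file system's pointers). Contiguous, lowest-free-first allocation only."""

    def __init__(self, n_sectors: int):
        self.disk = bytearray(n_sectors * SECTOR)
        self.table = {}                     # file name -> (first sector, size in bytes)
        self.free = list(range(n_sectors))

    @staticmethod
    def _sectors_for(size: int) -> int:
        return -(-size // SECTOR)           # ceiling division

    def write(self, name: str, data: bytes) -> None:
        n = self._sectors_for(len(data))
        if n == 0:
            raise ValueError("empty file")
        run = self.free[:n]
        if len(run) < n or run != list(range(run[0], run[0] + n)):
            raise OSError("no contiguous free run in this toy volume")
        del self.free[:n]
        start = run[0] * SECTOR
        self.disk[start:start + len(data)] = data   # rest of last sector is left as it was (slack)
        self.table[name] = (run[0], len(data))

    def delete(self, name: str) -> None:
        """What 'delete' really does: drop the pointer, release the sectors,
        and touch not one byte of file content."""
        first, size = self.table.pop(name)
        self.free = sorted(self.free + list(range(first, first + self._sectors_for(size))))

    def unallocated(self) -> bytes:
        """Every sector the allocation table no longer claims, in disk order."""
        return b"".join(self.disk[s * SECTOR:(s + 1) * SECTOR] for s in self.free)


# (header, footer) signature pairs a carver scans for; only "pdf" is used below.
SIGNATURES = {"pdf": (b"%PDF-", b"%%EOF"), "jpeg": (b"\xff\xd8\xff", b"\xff\xd9")}


def carve(blob: bytes, kind: str = "pdf") -> list:
    """Header-to-footer carving over raw bytes. A header with no footer is
    returned as a fragment (the file's tail was overwritten)."""
    head, foot = SIGNATURES[kind]
    found, pos = [], 0
    while (h := blob.find(head, pos)) >= 0:
        f = blob.find(foot, h + len(head))
        if f < 0:
            found.append(blob[h:])
            break
        found.append(blob[h:f + len(foot)])
        pos = f + len(foot)
    return found


def keyword_hits(blob: bytes, needle: bytes, context: int = 20) -> list:
    """Plain keyword search over raw bytes: (offset, snippet) for each hit."""
    hits, pos = [], 0
    while (i := blob.find(needle, pos)) >= 0:
        hits.append((i, blob[max(0, i - context):i + len(needle) + context]))
        pos = i + len(needle)
    return hits


def make_memo(text: bytes) -> bytes:
    """Constructed PDF-shaped bytes: right signature and footer, not a valid PDF."""
    filler = b"% filler so the file spans several sectors\n" * 30
    return b"%PDF-1.4\n" + filler + b"(" + text + b") Tj\n%%EOF"


def carve_demo() -> dict:
    vol = ToyVolume(16)
    memo = make_memo(b"Let's keep this one off the record.")
    vol.write("memo.pdf", memo)                 # sectors 0-2
    vol.write("notes.txt", b"lunch at noon\n")  # sector 3
    vol.delete("memo.pdf")                      # pointer gone, bytes remain
    after_delete = carve(vol.unallocated())
    vol.write("new.txt", b"x" * 100)            # reuses sector 0: header overwritten
    after_overwrite = carve(vol.unallocated())
    hits = keyword_hits(vol.unallocated(), b"off the record")
    return {
        "memo_listed": "memo.pdf" in vol.table,
        "recovered_intact": after_delete == [memo],
        "carved_after_overwrite": len(after_overwrite),
        "keyword_hits_after_overwrite": len(hits),
    }


if __name__ == "__main__":
    print(carve_demo())
```

The last two results are the practical lesson: a signature carver needs the header, so a partial overwrite can hide a file from it, while a painstaking keyword search of the same unallocated space still turns up the sentence that matters.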

Maintain data integrity. A good forensics technologist will write-protect all media as part of the acquisition (today typically with a hardware write blocker placed between the original drive and the examiner's machine), making sure that nothing can be added, erased or altered on the original. For the same reasons, the technologist will virus check all media. The technologist will never clean a virus from the original media, but will do so on a working copy of the acquired evidence instead if the virus affects the data to be produced.

Establish and maintain a chain of custody. Make sure you can track the evidence from its original source to its introduction in court. This means being able to prove that no information was added, deleted or altered, that the forensic copy of the evidence is complete, that the process used to copy the evidence was dependable and repeatable, and that all media was secured. In practice that proof rests on cryptographic hash values (MD5 and SHA-1 at the time of writing; SHA-256 today) computed over the original media and the image at acquisition and recomputed before production: if the values still match, nothing in the copy has changed. Always important: evidence in the case should be kept secure, with very restricted access.
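An added example, not from the original article, of the two mechanisms that back up the integrity and chain-of-custody points above: streaming hashes of an image that are recorded at acquisition and checked again later, and a custody log in which each entry carries the hash of the entry before it, so that a later rewrite of any entry is detectable. The "drive image", the examiner name and the timestamps are constructed for the example; the hashing is standard hashlib, and the log format is one I made up for illustration rather than any tool's file format.

```python
import hashlib
import json


def hash_stream(chunks, algorithms=("md5", "sha256")) -> dict:
    """Hash an image as it streams off the write-blocked original, so a
    multi-gigabyte drive never has to be held in memory at once."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data: bytes, chunk_size: int = 4096) -> dict:
    return hash_stream(data[i:i + chunk_size] for i in range(0, len(data), chunk_size))


def image_matches(image: bytes, acquisition_digests: dict) -> bool:
    """Verification step: every digest must equal the one recorded at acquisition."""
    return hash_bytes(image, ) == acquisition_digests


class CustodyLog:
    """Append-only chain-of-custody record. Each entry includes the hash of the
    previous entry, so deleting or rewriting an entry later breaks the chain."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action: str, actor: str, when: str, digests: dict) -> dict:
        entry = {
            "action": action, "actor": actor, "when": when, "digests": digests,
            "prev": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def custody_demo() -> dict:
    # Constructed 'drive image': a repeating byte pattern, not data from any case.
    original = bytes(range(256)) * 64                    # 16 KiB
    at_acquisition = hash_bytes(original)
    log = CustodyLog()
    log.record("imaged through write blocker", "examiner (constructed)",
               "2004-09-17T09:00:00", at_acquisition)
    log.record("sealed in evidence locker", "examiner (constructed)",
               "2004-09-17T11:30:00", at_acquisition)
    pristine_ok = image_matches(original, at_acquisition)
    altered = bytearray(original)
    altered[5000] ^= 0x01                                # one flipped bit
    altered_ok = image_matches(bytes(altered), at_acquisition)
    chain_ok = log.verify_chain()
    log.entries[0]["actor"] = "someone else"             # tampering with the log itself
    return {"pristine_ok": pristine_ok, "altered_ok": altered_ok,
            "chain_ok_before_edit": chain_ok, "chain_ok_after_edit": log.verify_chain()}


if __name__ == "__main__":
    print(custody_demo())
```

Two digests are kept because an older examiner's report may quote only MD5; recording both lets the image be checked against either record without re-imaging the original.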

Sharon D. Nelson is president and John Simek, vice president, of Sensei Enterprises, a computer forensics and legal technology firm based in Fairfax, VA.

Copyright 2004 Sensei Enterprises, Inc.
